Netgate Discussion Forum
    IPsec Road Warrior - can not pass web traffic from client through the tunnel.

    5 Posts 2 Posters 1.7k Views
    LeSilverFox:

      Hello Everyone,

      I have an issue with my road warrior configuration that I cannot overcome and it’s been driving me crazy - I hope someone out there can help me with it.

      I’m running pfSense 2.2.6 and set up the IPsec tunnel following this guide: https://doc.pfsense.org/index.php/IPsec_Road_Warrior/Mobile_Client_How-To

      Initially, as part of the Phase 2 configuration I set the ’Local Network’ parameter to LAN subnet and it was all working fine. I could access all the hosts sitting on the LAN perfectly, stream video over the tunnel, etc.

      Now, I wanted to pass all the traffic, including my web traffic from my iPhone, back to my home to use my private internet connection. I changed the ‘Local Network’ parameter to 0.0.0.0/0 but that seems to break things - the tunnel comes up but I can no longer connect to my hosts and cannot browse the web. Needless to say, if I change the configuration back to LAN subnet, it seems to work the way it did before.

      I have been searching this site for ideas but many of the earlier posts refer to different versions of pfSense and I’m not sure if this plays any part. I looked at my firewall logs but there isn’t anything being blocked. After about a week of trying things on my own, I realized I need help.

      Could someone help me please to resolve this… many thanks in advance.

      LeSilverFox:

        Ok, let me add the log to see if this contains any hints towards the solution.

        Apr 15 17:35:37 charon: user 'lesilverfox' authenticated
        Apr 15 17:35:37 charon: 13[IKE] <con1|44>XAuth-SCRIPT succeeded for user 'lesilverfox'.
        Apr 15 17:35:37 charon: 13[IKE] <con1|44>XAuth authentication of 'lesilverfox' successful
        Apr 15 17:35:37 charon: 13[ENC] <con1|44>generating TRANSACTION request 3292585543 [ HASH CPS(X_STATUS) ]
        Apr 15 17:35:37 charon: 13[NET] <con1|44>sending packet: from 192.168.1.20[4500] to blanking out my public ip (76 bytes)
        Apr 15 17:35:37 charon: 13[NET] <con1|44>received packet: from blanking out my public ip to 192.168.1.20[4500] (76 bytes)
        Apr 15 17:35:37 charon: 13[ENC] <con1|44>parsed TRANSACTION response 3292585543 [ HASH CPA(X_STATUS) ]
        Apr 15 17:35:37 charon: 13[IKE] <con1|44>IKE_SA con1[44] established between 192.168.1.20[192.168.1.20]…blanking out my public ip]
        Apr 15 17:35:37 charon: 13[IKE] <con1|44>scheduling reauthentication in 28222s
        Apr 15 17:35:37 charon: 13[IKE] <con1|44>maximum IKE_SA lifetime 28762s
        Apr 15 17:35:37 charon: 13[NET] <con1|44>received packet: from blanking out my public ip to 192.168.1.20[4500] (172 bytes)
        Apr 15 17:35:37 charon: 13[ENC] <con1|44>unknown attribute type (28683)
        Apr 15 17:35:37 charon: 13[ENC] <con1|44>parsed TRANSACTION request 1639386844 [ HASH CPRQ(ADDR MASK DNS NBNS EXP VER U_BANNER U_DEFDOM U_SPLITDNS U_SPLITINC U_LOCALLAN U_PFS U_SAVEPWD U_FWTYPE U_BKPSRV (28683)) ]
        Apr 15 17:35:37 charon: 13[IKE] <con1|44>peer requested virtual IP %any
        Apr 15 17:35:37 charon: 13[CFG] <con1|44>reassigning offline lease to 'lesilverfox'
        Apr 15 17:35:37 charon: 13[IKE] <con1|44>assigning virtual IP 192.168.100.1 to peer 'lesilverfox'
        Apr 15 17:35:37 charon: 13[ENC] <con1|44>generating TRANSACTION response 1639386844 [ HASH CPRP(ADDR DNS U_DEFDOM U_SPLITDNS U_BANNER U_BANNER U_SAVEPWD) ]
        Apr 15 17:35:37 charon: 13[NET] <con1|44>sending packet: from 192.168.1.20[4500] to blanking out my public ip (172 bytes)
        Apr 15 17:35:37 charon: 13[NET] <con1|44>received packet: from blanking out my public ip to 192.168.1.20[4500] (300 bytes)
        Apr 15 17:35:37 charon: 13[ENC] <con1|44>parsed QUICK_MODE request 4242542335 [ HASH SA No ID ID ]
        Apr 15 17:35:37 charon: 13[ENC] <con1|44>generating QUICK_MODE response 4242542335 [ HASH SA No ID ID ]
        Apr 15 17:35:37 charon: 13[NET] <con1|44>sending packet: from 192.168.1.20[4500] to blanking out my public ip (172 bytes)
        Apr 15 17:35:37 charon: 13[NET] <con1|44>received packet: from blanking out my public ip to 192.168.1.20[4500] (60 bytes)
        Apr 15 17:35:37 charon: 13[ENC] <con1|44>parsed QUICK_MODE request 4242542335 [ HASH ]
        Apr 15 17:35:37 charon: 13[IKE] <con1|44>CHILD_SA con1{2} established with SPIs cd432968_i 03a2d74a_o and TS 0.0.0.0/0|/0 === 192.168.100.1/32|/0

        Thank you for any suggestions.

          LeSilverFox:

          Let me add some additional information; so this afternoon I recreated my IPsec setup on a fresh install of pfSense 2.2.6, still the same problem. The tunnel comes up but with local network set to 0.0.0.0/0 I cannot pass traffic. Attached are the screen prints of the setup. I hope this helps to identify my issue.

          ![IPsec Phase 2.png](/public/imported_attachments/1/IPsec Phase 2.png)
          ![IPsec Phse 1.png](/public/imported_attachments/1/IPsec Phse 1.png)
          ![IPsec mobile client.png](/public/imported_attachments/1/IPsec mobile client.png)
          ![FW rules Wan.png](/public/imported_attachments/1/FW rules Wan.png)

            LeSilverFox:

            Issue RESOLVED! I read a post on Reddit with similar problems and it was a NAT configuration. I needed to select auto NAT and everything works just fine (I had manual NAT selected for some reason).
            I hope this may be useful for someone.

              jolebole:
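As an added example (not from the thread or from pfSense), a small Python check of the situation described above: it parses the CHILD_SA traffic-selector line that charon logs and reports whether a full-tunnel client (local network 0.0.0.0/0) has an outbound NAT rule covering the mobile client pool on WAN, which is what automatic outbound NAT adds and a hand-made manual rule set may lack. The pool 192.168.100.0/24, the LAN subnet 192.168.2.0/24 and the reduced rule-set shape are assumptions, not taken from the poster's configuration.

```python
import ipaddress
import re

# Constructed sample: the two charon lines from the thread that matter, the
# virtual-IP assignment and the CHILD_SA traffic selectors (TS).
SAMPLE_LOG = """\
charon: 13[IKE] <con1|44> assigning virtual IP 192.168.100.1 to peer 'lesilverfox'
charon: 13[IKE] <con1|44> CHILD_SA con1{2} established with SPIs cd432968_i 03a2d74a_o and TS 0.0.0.0/0|/0 === 192.168.100.1/32|/0
"""

# Assumed values (not given on the page): the mobile client pool the virtual
# IP came from, and outbound NAT rule sets reduced to the interface and source
# fields that matter here. MANUAL_RULES mimics a hand-made set covering only
# the LAN; AUTO_RULES mimics what automatic outbound NAT generates.
CLIENT_POOL = "192.168.100.0/24"
MANUAL_RULES = [{"interface": "wan", "source": "192.168.2.0/24"}]
AUTO_RULES = MANUAL_RULES + [{"interface": "wan", "source": CLIENT_POOL}]

TS_RE = re.compile(r"CHILD_SA \S+ established with SPIs \S+ \S+ and TS (\S+)\|/0 === (\S+)\|/0")


def parse_child_sa(log_text):
    """Return (local_ts, remote_ts) networks from the CHILD_SA line, else None."""
    for line in log_text.splitlines():
        m = TS_RE.search(line)
        if m:
            return ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2))
    return None


def nat_covers(rules, network, egress_if="wan"):
    """True if an outbound NAT rule on egress_if translates sources in network."""
    net = ipaddress.ip_network(network)
    return any(r["interface"] == egress_if
               and net.subnet_of(ipaddress.ip_network(r["source"])) for r in rules)


def diagnose(log_text, rules, client_pool):
    """Explain why a road-warrior client cannot reach the internet via the tunnel."""
    ts = parse_child_sa(log_text)
    if ts is None:
        return "no CHILD_SA established: phase 2 did not complete"
    local_ts, remote_ts = ts
    if not remote_ts.subnet_of(ipaddress.ip_network(client_pool)):
        return f"client TS {remote_ts} is outside the pool {client_pool}"
    if local_ts != ipaddress.ip_network("0.0.0.0/0"):
        return f"split tunnel: only {local_ts} is routed through the tunnel"
    if not nat_covers(rules, client_pool):
        return (f"full tunnel negotiated but no outbound NAT rule on wan for "
                f"{client_pool}; use automatic outbound NAT or add one")
    return "ok"
```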

              I have the same problem. Can you share which NAT settings you changed? Thanks

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.